Phishing attacks highlight differences in instant messaging security

Gmail and Yahoo! account holders are amongst those who have recently
been targeted by a major phishing attack on their instant messaging
systems aimed at stealing account log-in details. As with attacks on
email systems, a lot of the onus is on users not to click on links from
untrusted users. However, this does highlight a fundamental difference
between the levels of security on centralised (public) and
decentralised (private) IM networks.

With many centralised IM platforms every username has to be unique, so
users often have to find ways to create an account name that is
available (e.g. Fred123) rather than one that necessarily indicates
their credentials. This can make verifying the identity of contacts a
difficult task: how can you know whether Fred123 is your friend or
not?

With an open-standard IM platform users are generally less susceptible
to phishing attacks. As it is a decentralised network, you can only
connect with the domain names (typically their email address) of
the users that you trust, and when a server connects to your server it
has to provide valid credentials to prove that it is the domain it
says it is. A server can also automatically block messages from
users not on your contact list, significantly reducing the temptation
to click on untrusted links in the first place.

The message here is that users should always avoid opening links from
untrusted sources. However, it is up to IM platforms to make it as easy
as possible for users to check the identity of the contacts they are
chatting with.